DeepAI
Log In Sign Up

Which programming languages do hackers use? A survey at the German Chaos Computer Club

There are numerous articles about the programming languages most commonly used by hackers. Among them, however, there are hardly any scientific studies. One reason might be that hackers mainly operate anonymously and are difficult to reach. This paper aims to shed light on this interesting and relevant research question. In order to find answers, we conducted a survey among the members of the German Chaos Computer Club. As one of the world's largest organisations for information security and hacking, the club provides a good basis for our study. We examine the question of which programming languages are used by hackers as well as the importance of the programming language for their work. The paper offers first insights into the topic and can provide a starting point for further research.

READ FULL TEXT VIEW PDF

page 1

page 2

page 3

page 4

06/29/2022

Programming Languages and Law: A Research Agenda

If code is law, then the language of law is a programming language. Lawy...
06/27/2020

On the Evolution of Programming Languages

This paper attempts to connects the evolution of computer languages with...
08/26/2022

Expansion and evolution of the R programming language

Change in language use is driven by cultural forces; it is unclear wheth...
06/15/2020

Taxonomy and Practical Evaluation of Primality Testing Algorithms

Modern cryptography algorithms are commonly used to ensure information s...
09/16/2018

Exploiting Errors for Efficiency: A Survey from Circuits to Algorithms

When a computational task tolerates a relaxation of its specification or...
12/18/2017

"Oh Tanenbaum, oh Tanenbaum...": Technical Foundations of Xmas 4.0 Research

Andrew Tanenbaum and his textbooks – e.g. on Operating Systems, Computer...
05/15/2018

OOP and its Calculated Measures in Programming Interactivity

This study examines the object oriented programming (OOP) and its calcul...

1. Introduction

In recent years, the Python programming language has gained the reputation to be popular among hackers [Sarwar2021, p. v]. Since Python was one of the most widely used languages in 2021, this may not come as a surprise [StackOverflow2021]. There are several online resources that support the hypothesis [Simplilearn2022][Analyticsinsight2021][calltutors2020][ubuntupit2021]. Unfortunately, there are hardly any scientific studies available on the prevalence of programming languages in the hacking community. Our paper aims to help closing this research gap. The question we try to answer is: Which programming languages do hackers use?

In order to address this research question, we conducted a survey among the members of the German Chaos Computer Club (CCC). As ”Europe’s largest association of hackers”[CCC2022], the club provides a good basis for our study. Before we explain our approach and discuss the results, the term hacker needs to be clarified. Since there is no standard notion in the scientific literature, we define the term as follows:

Definition 1.

A hacker is someone who uses his/her technical expertise to deal with computers with special regard to their security. We explicitly refer to the Chaos Computer Club’s hacker ethics [HackerEthics2022]. These form the core of the club’s hacker definition and consequently that of our study.

Some authors distinguish between ”black-hat”, ”white-hat” and ”grey-hat” hackers with respect to their ethics [Marushat2019, p. 20] [Sarwar2021, pp. 12-13]. By this definition, a white-hat hacker has no criminal intent, while black-hats use their computer knowledge for unlawful activities. Grey-hats are in between these two concepts. Raymond’s guide on how to become a hacker uses the term ”cracker” to describe malicious behaviour. According to Raymond, ”hackers build things, crackers break them” [Raymond2020]. Since we conducted our survey at the Chaos Computer Club, our research focuses on their hacker ethics, in line with Definition 1. The club’s hacker concept is not based on the black-hat/white-hat definition outlined above, but constitutes separate principles such as freedom of information and protection of private data [HackerEthics2022].

There are numerous works on hacking in the (scientific) literature. Not all of them draw a line between different groups of hackers. Whether this distinction is important for the choice of programming language is another question. Programming languages are mainly discussed from a functional standpoint in literature. Raymond, for example, mentions Python, C, Perl, and Lisp as adequate choices [Raymond2020]. Ericson provides code snippets in C[Ericson2008]. Simpson and Antill describe C as ”one of the most popular programming languages for security professionals and hackers” [SimpsonAntill_2017, p. 196]. The authors also write that hackers ”use Perl to create automated exploits and malicious bots” [SimpsonAntill_2017, p. 178]. Clark explains hacking techniques with shell scripts under Linux and Windows as well as programmatic approaches with Python and other languages [Clark2014]. Python is covered by a variety of further hacking books [O_Connor_2012], [Seitz2015], [Sinha_2017]. Since software vulnerabilities play an import role for security, Turner analysed C, Java, C++, Objective-C, C#, PHP, Visual Basic, Python, Perl and Ruby in this regard [Turner_2014].

As mentioned above, it is hard to find literature on the prevalence of programming languages in the hacking community. One reason might be that hackers often operate anonymously and are difficult to reach. Samtani et al. sidestepped this problem by exploring hacker assets in underground forums [Samtani2015]

. The authors used machine learning algorithms to classify whether code postings were written in Java, Python, C/C++, HTML, PHP, Delphi, ASP, SQL, Ruby, or Perl. This way, they could show that XSS attacks were primarily implemented in Perl, password cracks and keyloggers in Java, and finally banking vulnerabilities and Microsoft exploits in SQL

[Samtani2015, p. 35]. Our paper follows an alternative approach to shed light on this topic.

2. Approach

In May 2021 we conducted a cross-sectional survey [mcmillan1996educational] at the Chaos Computer Club. For this purpose, we have sent a link to an online questionnaire to the local and regional affiliates of the CCC (so-called Erfa-Kreise) [ErfaKreise2022]. The design of the questionnaire was inspired by the 2019 Stack Overflow Developer Survey [StackOverflow2019]

. Other sources of inspiration were the Kaggle Data Science Survey

[Kaggle2020] and Raymond’s guide on how to become a hacker [Raymond2020]. Our questions focused on programming languages as well as related topics such as operating systems and development environments. For a better interpretation of the results, we also asked the participants how important they consider the choice of programming language to be for hacking.

In our questionnaire, we used Likert scales as well as multiple choices and drop-downs. Control questions were included to ensure proper answering [raithel2008quantitative]. The survey instrument was pre-tested on 3 selected participants. Based on the pre-test we slightly revised some survey items, especially enclosed answer options and added examples and instructions.

We opened the questionnaire on 1 May and closed it on 30 May 2021. In total, we received 43 responses. As not all questions were mandatory, the number of responses for a given question may be lower than the total number of participants. It is clear that the results do not allow for a representative conclusion on our research question. Nevertheless, the study offers first insights into the topic and can serve as a starting point for further, broader research.

3. Discussion of Results

In the following, we discuss the most important results of our survey. For a better overview, we have divided the responses into several subsections.

3.1. Experience

Our first questions focused on the experience of the participants. Table 1 shows that the majority of respondents had a general programming experience of several years. A slightly different picture emerged when we asked about the specific hacking experience as presented in Table 2.

Options % Percentages # Responses
20+ years 41.86 % 18
10 - 20 years 32.56 % 14
5 - 10 years 18.60 % 8
3 - 5 years 2.33 % 1
1 - 3 years 4.65 % 2
1 year 0.00 % 0
I have never written code 0.00 % 0
Total 43
Table 1. How many years of programming experience do you have in general (hacking and non-hacking)?
Options % Percentages # Responses
20+ years 27.50 % 11
10 - 20 years 27.50 % 11
5 - 10 years 20.00 % 8
3 - 5 years 15.00 % 6
1 - 3 years 2.50 % 1
1 year 5.00 % 2
I have no hacking experience 2.50 % 1
Total 40
Table 2. How many years of hacking experience do you have?

3.2. Programming Language

When asked about the programming languages used for hacking in the last year, participants named a variety of technologies. Table 3 lists the responses in descending order.

Options % Percentages # Responses
Bash/Shell/PowerShell 72.50 % 29
Python 70.00 % 28
C 32.50 % 13
JavaScript 32.50 % 13
HTML/CSS 30.00 % 12
C++ 27.50 % 11
Go 22.50 % 9
SQL 22.50 % 9
Java 20.00 % 8
Others 20.00 % 8
Assembly 17.50 % 7
C# 15.00 % 6
PHP 15.00 % 6
Rust 12.50 % 5
Ruby 10.00 % 4
Perl 7.50 % 3
TypeScript 7.50 % 3
Kotlin 5.00 % 2
Scala 5.00 % 2
VB/VBA 5.00 % 2
Lisp 2.50 % 1
Swift 2.50 % 1
Objective-C 0.00 % 0
R 0.00 % 0
Total Respondents 40
Table 3. Which programming languages have you used for hacking in the last year? (You can choose more than one answer option)

The options of programming languages provided in the questionnaire were based on a Stack Overflow survey [StackOverflow2019], Raymond’s hacking guide [Raymond2020] and feedback from our pre-testers. Whether technologies such as HTML, Bash or SQL can be called programming languages is of course debatable. We have included them in the list anyway to avoid possible gaps in the study.

According to Table 3, shell scripts (e.g. Bash) and Python were used most frequently. It also appears that the C language family (C, C++, C#, and Objective-C) is still common. With regard to Java, the survey supports Raymond’s argument that this language is not the first choice for hackers [Raymond2020]. Table 4 shows that the language preference of the majority of participants has changed over time. Compared to programming languages used more than a year before (see Table 10 in the appendix), a shift towards shell scripts and Python can be noted. Python’s rise in popularity has been observed by other developer surveys too [StackOverflow2019] [StackOverflow2021].

Options % Percentages # Responses
yes, my preference has changed 77.50 % 31
no, I always used the same programming languages 22.5 % 9
Total 40
Table 4. Has your programming language preference changed over time?
Options % Percentages # Responses
Strongly Agree 5.0 % 2
Agree 20.0 % 8
Neither / Nor Agree 32.50 % 13
Disagree 20.00 % 8
Strongly Disagree 22.50 % 9
Total 40
Table 5. How strongly do you agree with the following statement: ”The choice of the programming language is important for hacking.”

An interesting result appears in Table 5. Many respondents (75%) did not agree that the choice of the programming language is important for hacking. Only 25% of participants agreed or strongly agreed with this statement. The prevalence of Python for hacking might therefore simply reflect the general increase in its use in recent years. Consequently, one could expect that the language preference of hackers will continue to change in future as technology evolves.

3.3. Ecosystem

We also asked the participants which operating systems (OS) they used for hacking in the last year. Table 6 shows that the majority of respondents chose a Linux-based variant. This is not surprising, since Kali Linux even provides a specific distribution for security and penetration testing [Kali2022]. When asked about the integrated development environments (IDEs), a variety of tools were selected. As evident from Table 7, Vim and Visual Studio Code were in the top five (see Table 11 in the appendix for a full list).

Options % Percentages # Responses
Linux-based 95.00 % 38
Windows 40.00 % 16
MacOS 32.50 % 13
BSD 17.50 % 7
Others 5.00 % 2
Total Respondents 40
Table 6. Which operating systems have you used for hacking in the last year? (You can choose more than one answer option)
Options % Percentages # Responses
Vim 60.00 % 24
Visual Studio Code 50.00 % 20
Others 22.50 % 9
IntelliJ 17.50 % 7
Visual Studio 17.50 % 7
Total Respondents 40
Table 7. Which integrated development environments (IDEs) have you used for hacking in the last year?(You can choose more than one answer option)

3.4. Demographics

Finally, we asked the participants about their gender identity and age. Table 8 shows that most respondents identified themselves as male. Their age varied, with the majority between 25 and 44 years old, as revealed by Table 9.

Options % Percentages # Responses
woman 2.50 % 1
man 60.00 % 24
nonbinary 12.50 % 5
prefer not to say 20.00 % 8
prefer to self-describe 5.00 % 2
Total 40
Table 8. What is your gender identity?
Options % Percentages # Responses
0 - 17 2.50 % 1
18 - 21 2.50 % 1
22 - 24 5.00 % 2
25 - 29 17.50 % 7
30 - 34 22.50 % 9
35 - 39 15.00 % 6
40 - 44 20.00 % 8
45 - 49 7.50 % 3
50 - 54 2.50 % 1
55 - 59 5.00 % 2
60 - 69 0.00 % 0
70+ 0.00 % 0
Total 40
Table 9. What is your age?

4. Conclusion

The purpose of this paper was to shed light on the question of which programming languages are used by hackers. In order to achieve that goal, we conducted a survey at the German Chaos Computer Club in May 2021. Our results show that the members were using different programming languages at the time. Shell scripts and Python were chosen most frequently. It also appears that the C language family is still common. Another important finding is that the choice of programming language does not play a vital role for hackers. Their language preference has changed over time and will presumably continue to do so in the future.

The number of responses we received does not allow for a representative conclusion. Furthermore, the survey targeted only members of the CCC. The findings might therefore be biased both regionally and in favour of a specific group. Our results do, however, add to the extremely scarce literature on the subject. The approach could serve as a model for future surveys, possibly at international level.

Appendix A Additional Questions

This section contains responses to our questionnaire that were referenced but not included in the main text.

Options % Percentages # Responses
Bash/Shell/PowerShell 47.06 % 16
Python 41.18 % 14
C 38.24 % 13
PHP 32.35 % 11
C++ 26.47 % 9
JavaScript 26.47 % 9
Assembly 23.53 % 8
Java 23.53 % 8
Others 20.59 % 7
HTML/CSS 17.65 % 6
Perl 14.71 % 5
SQL 8.82 % 3
VB/VBA 8.82 % 3
C# 5.88 % 2
Rust 5.88 % 2
R 2.94 % 1
Ruby 2.94 % 1
Go 0.00 % 0
Kotlin 0.00 % 0
Lisp 0.00 % 0
Objective-C 0.00 % 0
Scala 0.00 % 0
Swift 0.00 % 0
TypeScript 0.00 % 0
Total Respondents 34
Table 10. If your programming language preference has changed, which programming languages have you used for hacking more than a year ago? (You can choose more than one answer option)
Options % Percentages # Responses
Vim 60.00 % 24
Visual Studio Code 50.00 % 20
Others 22.50 % 9
IntelliJ 17.50 % 7
Visual Studio 17.50 % 7
Android Studio 15.00 % 6
Eclipse 15.00 % 6
Nano 15.00 % 6
Notepad++ 15.00 % 6
PyCharm 12.50 % 5
Sublime Text 12.50 % 5
Atom 7.50 % 3
IPython / Jupyter 7.50 % 3
NetBeans 5.00 % 2
PHPStorm 5.00 % 2
RubyMine 5.00 % 2
Xcode 5.00 % 2
Coda 2.50 % 1
Emacs 2.50 % 1
TextMate 2.50 % 1
Komodo 0.00 % 0
RStudio 0.00 % 0
Total Respondents 40
Table 11. Which integrated development environments (IDEs) have you used for hacking in the last year? (You can choose more than one answer option)

Appendix B Glossary

Term
Definition
CCC Chaos Computer Club
Cracker Individual using computer knowledge with malicious intent
Erfa-Kreise Local and regional affiliates of the Chaos Computer Club
Hacker See Definition 1
Keylogger Software for keystroke recording
XSS Cross site scripting

References